Privacy Policy
Effective date: 26 May 2026 · Last updated: 26 May 2026
This policy explains what personal data Zanaya collects through our mobile app and website, how we use and protect it, and the choices you have — including how to delete your account. Because Zanaya is used by children, it also describes how we handle children's data and the role of parents and schools.
1. Who we are
Zanaya ("Zanaya", "we", "us") provides an AI math tutor delivered through the Zanaya mobile app and related web platform. We are based in Sofia, Bulgaria, and we act as the data controller for the personal data described in this policy. For data created in the context of a school, the school may act as a joint or independent controller.
2. Scope of this policy
This policy applies to the Zanaya mobile applications (iOS and Android), the web platform at app.zanayamath.com, and this website. It does not apply to third-party services we link to, which have their own privacy policies.
3. Information we collect
Account information
- Name, role (student, parent, teacher, or school leader), and the school you belong to.
- Email address and/or username, and an authentication credential managed by our identity provider.
- An optional profile picture, which may be an uploaded image or a preset icon.
Learning data
- Answers, step-by-step working, and uploaded photos or documents of handwritten work submitted for analysis.
- Skill mastery, test and homework results, progress, and in-app activity used to build the personalized learning path.
Content you create
- Messages, posts, comments, and attachments you send through chat and class feeds.
Device & technical data
- A push-notification token for your device (if you enable notifications), so we can deliver alerts.
- Diagnostic data — app version, device model, operating system, and crash/error reports — collected to keep the app stable.
We do not use advertising trackers, and we do not sell personal data.
4. Children's data & parents
Zanaya is designed for school-age students, many of whom are children. Student accounts are created and managed within a school or by a linked parent. Where the law requires it, we rely on the school's authority or a parent's consent as the basis for processing a child's data.
A linked parent can view their child's profile and progress and act on the child's behalf in the app. We collect only the data needed to provide the tutoring service and we do not knowingly use children's data for marketing.
If you believe a child has provided us with personal data without the appropriate parental or school authorization, contact us and we will delete it.
5. How we use information
- To provide the tutoring service — diagnosing skills, analyzing submitted work, and generating a personalized learning path.
- To create and secure accounts and authenticate users.
- To enable communication between students, parents, and school staff.
- To send service notifications you have enabled.
- To maintain, debug, and improve the app, including diagnosing crashes.
- To comply with legal obligations and protect the safety of users.
6. Legal bases (GDPR)
Where the EU General Data Protection Regulation applies, we process personal data on these bases:
- Contract — to deliver the service you or your school signed up for.
- Consent — for optional features such as push notifications, and where required for a child's data.
- Legitimate interests — to secure, debug, and improve the service, balanced against your rights.
- Legal obligation — where we are required to retain or disclose data by law.
8. Where data is processed
We aim to process and store personal data, including data handled by our database and crash-monitoring providers, within the European Union/European Economic Area. Some providers may process limited data in other regions; where they do, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.
9. Retention & account deletion
We keep personal data for as long as your account is active and as needed to provide the service, then delete or anonymize it unless a longer period is required by law.
Deleting your account
You can request deletion directly in the app, from your profile screen:
- When you request deletion, your account is scheduled for removal and enters a 30-day grace period.
- During those 30 days you can cancel the request at any time by signing back in — nothing is lost.
- After the grace period, your personal data is permanently deleted or anonymized. Some content tied to shared activity (such as class messages) may be retained in anonymized form so conversations remain intact.
You can also ask us to delete your data by contacting us using the details below.
10. Your rights
Subject to applicable law, you have the right to access, correct, delete, or export your personal data, to object to or restrict certain processing, and to withdraw consent. To exercise these rights, contact us using the details below. You also have the right to lodge a complaint with your local data protection authority — in Bulgaria, the Commission for Personal Data Protection (CPDP).
11. Security
We protect personal data with encryption in transit, access controls, and reputable infrastructure providers. No system is perfectly secure, but we work to safeguard your information and to respond promptly to any incident.
12. Changes to this policy
We may update this policy as the service evolves or the law changes. We will revise the "Last updated" date above and, for material changes, provide a more prominent notice.
13. Contact us
For privacy questions or to exercise your rights, contact us at it@zanayamath.com. We are based in Sofia, Bulgaria.